
NIS2 Compliance Checklist: The 10 Article 21 Measures (2026)

A free, plain-English checklist of every security measure NIS2 requires under Art. 21, plus the registration and reporting duties. Copy it and work through it.

Use this checklist to see, in plain English, exactly what the NIS2 Directive (Directive (EU) 2022/2555) requires. It is free. Copy it, work through it, and confirm you are in scope first.

Step 0: confirm you are in scope

-> Run the NIS2 Applicability Checker, then read "Does NIS2 apply to my company?". The measures below apply to both Essential and Important Entities; the tier changes supervision and fine ceilings, not the list of measures.

The 10 cybersecurity measures (Art. 21)

Both entity types must implement all ten. Art. 21(1) requires an all-hazards approach and measures proportionate to your exposure to risk, your size, and the likelihood and impact of incidents, so scale each control to your own risk assessment rather than to a generic template.

  • 1. Risk analysis and information security policies - documented policies built on an all-hazards risk assessment.
  • 2. Incident handling - detection, response and recovery processes for security incidents.
  • 3. Business continuity - backups, disaster recovery and crisis management.
  • 4. Supply chain security - manage security in relationships with direct suppliers and service providers.
  • 5. Security in acquisition, development and maintenance - including vulnerability handling and disclosure.
  • 6. Effectiveness assessment - procedures to measure whether your measures actually work.
  • 7. Cyber hygiene and training - basic hygiene practices and regular staff cybersecurity training.
  • 8. Cryptography - policies on the use of cryptography and, where appropriate, encryption.
  • 9. HR security, access control and asset management - vetting, least-privilege access and an asset inventory.
  • 10. Multi-factor authentication and secure communications - MFA or continuous authentication solutions, plus secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Governance and reporting (do not miss these)

  • Management accountability (Art. 20) - your management body must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements. Members of the management body must follow cybersecurity training, and the entity should offer similar training to employees.
  • Incident reporting (Art. 23) - for a significant incident: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours of becoming aware of it, and a final report no later than one month after submitting that notification. The CSIRT or competent authority may also request intermediate status updates. The clock starts when you become aware of the incident, so have the detection and escalation path in place before you need it.
  • Registration - submit your entity details to your national competent authority. Deadlines and submission methods vary by country, and some have already passed; check your Member State's transposition law rather than the Directive alone.

Confirm your tier and fine ceiling

-> NIS2 Applicability Checker - Essential or Important, with your fine ceiling and obligations.

Source

Directive (EU) 2022/2555 (NIS2), Articles 20, 21 and 23

Last verified: 21 June 2026.
